Chapter 9 - 04 - Application Security Testing Techniques and Tools - 01_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Application Security

Module Flow

Understand Secure Understand Secure
Application Design and Application, Development,
Arxchitecture o i 9 Deployment, and Automation

v RT
FLCETT T TIE
\
Understand Software Application Security
Security Standards, Models, 9 ( o Testing Techniques and
and Frameworks Tools

Copyright © by EC: Al Rights Reserved. Reproduction is Strictly Prohibited

Application Security Testing Techniques and Tools
The primary objective of application security testing is to detect flaws or vulnerabilities
associated with source code. Application security testing techniques and tools assist developers
in detecting all the potential security weaknesses and in making changes to the code to fix the
weaknesses. This section discusses various application security testing techniques and tools.

Module 09 Page 1188 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Application Security

Static Application Security Testing (SAST)
SAST, also known as
It should be performed
secure code review, is one of
toward the end of the source
the software security
code development when
assurance approach to identify
application code is stable or
security-related weaknesses
nearly completed
in the code

It involves detailed
systematic inspection of
source code to detect
O @
< o Security professionals use
tools such as Coverity Static
Application Security Testing,
vulnerabilities and design Appknox, AttackFlow, etc. to
flaws perform SAST

Static Application Security Testing (SAST)
SAST, also known as secure code review, is one of the software security assurance approach to
identify security-related weaknesses in the code. It involves detailed systematic inspection of
source code to detect vulnerabilities and design flaws. It should be performed toward the end
of the source code development when application code is stable or nearly completed. It should
always be performed in combination with human effort (Manual) and technology support
(Automated). SAST aims to detect application security vulnerabilities and their root causes
when code is not running.
SAST tools assist developers in testing the source code to discover and report design flaws
associated with the application, which can open doors for various attacks. It also ensures that
the source code is compliant with defined rules, standards, and guidelines. Security
professionals use tools such as Coverity Static Application Security Testing, Appknox,
AttackFlow, bugScout, and PT Application Inspector, to perform SAST.

Module 09 Page 1189 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Application Security

»| Types of SAST
-

Automated Source Code Analysis Manual Source Code Review

» Itis also known as Static Code Analysis 7» Itinvolves manually inspecting the
(scAa)
(SCA) source code line by line to detect any
~ ~-. defects and security related flaws
>» It uses certain source code analysis
tool to scan the code and report
potential flaws

Types of SAST
= Automated source code analysis
It is also known as Static Code Analysis (SCA). It uses certain source code analysis tool to
scan the code and report potential flaws.

= Manual
Manual source code review

It involves manually inspecting the source code line by line to detect any defects and
security related flaws.

Module 09 Page 1190 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Application Security

S Dynamic Application
Dynamic Application
A% Securi ty Testin
Security g (DAST)
Testing
4
DAST is a security testing technique which involves simulating attacks
against the application and analyzes how the application behaves

The application is tested dynamically from the outside when
application is running

DAST is generally performed by the penetration testers or security
practitioners on a working system in pre-production, a test
environment, or even in production

Security professionals use tools such as Netsparker, Acunetix
Vulnerability Scanner, HCL AppScan, etc. to perform DAST

These scanners believe in fuzzing the application inputs with attack
payloads in order to detect security weaknesses

Dynamic Application Security Testing (DAST)
DAST is a security testing technique which involves simulating attacks against the application
and analyzes how the application behaves. The application is tested dynamically from the
outside when application is running. DAST is generally performed by the penetration testers or
security practitioners on a working system in pre-production, a test environment, or even in
production. These individuals typically uses automated web application vulnerability scanners
to conduct DAST. These scanners believe in fuzzing the application inputs with attack payloads
in order to detect security weaknesses.

DAST tools execute on running code to identify issues related to interfaces, requests/responses,
sessions, scripts, authentication processes, code injections, etc. Security professionals use tools
such as Netsparker, Acunetix Vulnerability Scanner, HCL AppScan, Micro Focus Fortify on
Demand, and Appknox, to perform DAST.

Module 09 Page 1191 Certified Cybersecurity Technician Copyright © by EC-Council
EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Application Security

Types of DAST
Automated Application Vulnerability Manual Application Security
Scanning Testing

0O
O Security tester uses classic application O Security tester uses proxy-based security
security scanners to scan the web testing tools to craft and send request
application for vulnerabilities manually and analyze the responses
from the application

Types of DAST
= Automated Application Vulnerability Scanning
Security tester uses classic application security scanners to scan the web application for
vulnerabilities.

= Manual Application Security Testing
Security tester uses proxy-based security testing tools to craft and send request
manually and analyze the responses from the application.

Module 09 Page 1192 Certified Cybersecurity Technician Copyright ©© by EC-Council
EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Application Security

SAST vs DAST S By, ~Arbd
44 L

m p‘f()hfi

White box security testing Black box security testing

Requires a source code Requires a running application

Finds vulnerability earlier in SDLC Finds the vulnerability towards the end of SDLC

Less expensive to fix vulnerability More expensive to fix vulnerability

Runtime and environment related Runtime and environment related issues can be
issues can’t be discovered discovered

Typically supports all kinds of Typically scans only apps like web application and
software web services

SAST vs DAST
The table given below summarizes the differences between SAST and DAST:

SAST DAST

White box security testing Black box security testing
Requires a source code Requires a running application

Finds vulnerability earlier in SDLC Finds the vulnerability towards the end of SDLC
Less expensive to fix vulnerability More expensive to fix vulnerability

Runtime and environment related issues Runtime and environment related issues can be
can’t be discovered discovered

Typically scans only apps like web application
Typically supports all kinds
of software
ypicaily supp ! w and web services

Table 9.2: SAST vs DAST

Module 09 Page 1193 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.